Project

General

Profile

« Previous | Next » 

Revision 6816

interpret permissions as hierarchical
https://redmine.dataone.org/issues/2150

View differences:

src/edu/ucsb/nceas/metacat/dataone/D1NodeService.java
617 617

  
618 618
    boolean allowed = false;
619 619
    
620
    // permissions are hierarchical
621
    List<Permission> expandedPermissions = expandPermissions(permission);
622
    
623
    // for the "Verified" symbolic user
624
    Subject verifiedSubject = new Subject();
625
	verifiedSubject.setValue(Constants.SUBJECT_VERIFIED_USER);
626
    
620 627
    // get the subjects from the session
621 628
    List<Subject> subjects = new ArrayList<Subject>();
622 629
    if (session != null) {
......
626 633
	    }
627 634
	    SubjectInfo subjectInfo = session.getSubjectInfo();
628 635
	    if (subjectInfo != null) {
636
	    	// add the equivalent identities
629 637
	    	List<Person> personList = subjectInfo.getPersonList();
630 638
	    	if (personList != null) {
631 639
			    for (Person p: personList) {
632 640
			      subjects.add(p.getSubject());
633 641
			      if (p.getVerified()) {
634 642
			    	  // add the verified symbolic user
635
			    	  Subject verifiedSubject = new Subject();
636
			    	  verifiedSubject.setValue(Constants.SUBJECT_VERIFIED_USER);
637 643
			    	  if (!subjects.contains(verifiedSubject)) {
638 644
			    		  subjects.add(verifiedSubject);
639 645
			    	  }
640 646
			      }
641 647
			    }
642 648
	    	}
649
	    	// add the groups
643 650
	    	List<Group> groupList = subjectInfo.getGroupList();
644 651
	    	if (groupList != null) {
645 652
			    for (Group g: groupList) {
......
697 704
	    search: // label break
698 705
	    for (AccessRule accessRule: allows) {
699 706
	      for (Subject s: subjects) {
700
	        //if (accessRule.getSubjectList().contains(s)) {
701
        	for (Subject ruleSubject: accessRule.getSubjectList()) {
702
        		if (ruleSubject.equals(s)) {
703
		          allowed = accessRule.getPermissionList().contains(permission);
707
	        if (accessRule.getSubjectList().contains(s)) {
708
	        	for (Permission p: expandedPermissions) {
709
		          allowed = accessRule.getPermissionList().contains(p);
704 710
		          if (allowed) {
705 711
		        	  break search; //label break
706 712
		          }
707
        		}
713
	        	}
714
        		
708 715
	        }
709 716
	      }
710 717
	    }
......
1039 1046
	}
1040 1047
      
1041 1048
  }
1049
  
1050
  /**
1051
   * Given a Permission, returns a list of all permissions that it encompasses
1052
   * Permissions are hierarchical so that WRITE also allows READ.
1053
   * @param permission
1054
   * @return list of included Permissions for the given permission
1055
   */
1056
  protected List<Permission> expandPermissions(Permission permission) {
1057
	  	List<Permission> expandedPermissions = new ArrayList<Permission>();
1058
	    if (permission.equals(Permission.READ)) {
1059
	    	expandedPermissions.add(Permission.READ);
1060
	    }
1061
	    if (permission.equals(Permission.WRITE)) {
1062
	    	expandedPermissions.add(Permission.READ);
1063
	    	expandedPermissions.add(Permission.WRITE);
1064
	    }
1065
	    if (permission.equals(Permission.CHANGE_PERMISSION)) {
1066
	    	expandedPermissions.add(Permission.READ);
1067
	    	expandedPermissions.add(Permission.WRITE);
1068
	    	expandedPermissions.add(Permission.CHANGE_PERMISSION);
1069
	    }
1070
	    return expandedPermissions;
1071
  }
1042 1072

  
1043 1073
  /*
1044 1074
   * Write a stream to a file

Also available in: Unified diff